Certificate Revocation List Flaw or Vulnerability

on 07.07.2004 17:11:43 by rlabbe

All,

I'm not sure if this would be considered a vulnerability or lack of
functionality of Mod_SSL or OpenSSL.

Test Platform

Red Hat Linux 9.0
Apache 1.3.31
Mod_SSL 2.8.18
OpenSSL 0.9.7d

Apache server is configured for client authentication using digital
certificates and validation of a certificate revocation list (CRL) file.


Certificate Revocation List Concern:

If using the Certificate File directive for a CRL, Apache will start with
an expired CRL file. I am trusting several Certificate Authorities, but
only have one CRL file (expired) from one of the CAs. I am allowed access
using a revoked certificate as long as it is not issued from the CA of the
expired CRL file. I am not allowed access if I select a certificate issued
from the CA of the CRL file I'm using. The logging is correct in that
Apache is going to deny access for all clients of that particular CA until
I get a new CRL.

If using the Symbolic Link directive for the CRL file, Apache will start
with NO CRL file available. Apache will allow revoked certificates to
access all protected pages.

I've also noticed a similar behavior with path validation when using client
authentication and digital certificates. It seems as though Apache will
allow access as long as it can find a CA it trusts in the chain of the
client's certificate. Shouldn't Apache/Mod_SSL validate the trust of each
CA in the path for a client certificate? You can configure how deep to
validate the certificate, but it seems as though it's just going to check
as far up the chain until it finds a CA certificate it trusts and then
stops.

Internet Explorer was vulnerable to this type of attack because the browser
did not validate the trust of each certificate in the chain. Someone could
stand up their own CA using OpenSSL and issue digital certificates using a
signed certificate from a higher level CA. Internet Explorer would just
look through the tree until it found a CA that was trusted instead of
alerting the user that a rogue CA certificate had been found in the path.


Any feedback would be appreciated.

Thanks,

Rene


____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
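The two CRL situations Rene describes (a lapsed CRL that makes mod_ssl fail closed for that CA, and a missing CRL that makes it fail open) can be caught before Apache starts. The following is an added example, not code from the post or from mod_ssl: a standard-library Python pre-flight check that reads nextUpdate out of each DER CRL (whether it is the single file given to SSLCARevocationFile or one of the hash-named files under SSLCARevocationPath) and reports, for every trusted CA, whether its CRL is current, expired or absent. The CA names and the sample CRLs are constructed here; the samples carry a dummy signature and an empty issuer name.

```python
from datetime import datetime, timezone
def _tlv(tag, body):                    # tiny DER encoder, short-form lengths only (sample data)
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def _read_tlv(buf, pos):                # -> (tag, value_start, value_end); long-form lengths handled
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def crl_next_update(der):
    """nextUpdate of a DER CertificateList (RFC 3280 layout), or None if that optional field is absent."""
    _, pos, _ = _read_tlv(der, 0)                   # CertificateList SEQUENCE
    _, pos, tbs_end = _read_tlv(der, pos)           # tbsCertList SEQUENCE
    tag, _, end = _read_tlv(der, pos)
    if tag == 0x02:                                 # optional version INTEGER
        pos = end
    for _ in range(3):                              # skip signature, issuer, thisUpdate
        _, _, pos = _read_tlv(der, pos)
    if pos >= tbs_end:
        return None
    tag, start, end = _read_tlv(der, pos)
    if tag not in (0x17, 0x18):                     # not UTCTime/GeneralizedTime: revokedCertificates or extensions
        return None
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(der[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)
def check_crls(crls, now):
    """Verdict per trusted CA: 'missing' (mod_ssl fails open), 'expired' (fails closed), 'ok'."""
    out = {}
    for ca, der in crls.items():
        nxt = crl_next_update(der) if der is not None else None      # no nextUpdate counts as expired
        out[ca] = "missing" if der is None else "ok" if nxt and nxt >= now else "expired"
    return out
def sample_crl(next_update):            # constructed CRL: empty issuer, no entries, dummy signature
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")))   # sha256WithRSAEncryption
    utc = lambda dt: _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + alg + _tlv(0x30, b"") + utc(datetime(2004, 6, 1, tzinfo=timezone.utc))
               + (utc(next_update) if next_update else b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))

NOW = datetime(2004, 7, 7, tzinfo=timezone.utc)                       # date of the post
TRUSTED = {                                                           # hypothetical CA names
    "CA-A": sample_crl(datetime(2004, 6, 30, tzinfo=timezone.utc)),  # CRL has lapsed
    "CA-B": sample_crl(datetime(2004, 8, 1, tzinfo=timezone.utc)),   # CRL still current
    "CA-C": None,                                                     # trusted CA with no CRL at all
}
if __name__ == "__main__":
    print(check_crls(TRUSTED, NOW))
```

On a real server, feed `check_crls` the DER bytes of each CRL file (PEM files need their base64 body decoded first) keyed by the CA it belongs to, and refuse to start Apache on any "missing" verdict.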